What is Public Sector Data Security?

Data Security is the process of securing your organisation’s data from unauthorised access and data breaches. Public Sector organisations collect, store and manage some of the most sensitive data, such as personal and financial information. So, are you doing enough to secure your data in 2021?

Our insight on why cyber security is more important than ever in 2021 tells you that your employees will always be your most significant risk factor. The mistake that organisations make is not assessing the people and processes before putting the technology in place. People, processes and technology are the three pillars of cyber security. Without proper processes and trained staff, you will create exploitable vulnerabilities. However, before you train your staff, it’s important to get your data strategy and processes correct.

Below, you will find some actionable steps that will be useful in securing your data and helping you to prepare for a cyber security event.

Regularly Review Your Business Continuity Plan

Your Business Continuity Plan (BCP) should position your organisation to recover from business interruption. This could be a natural disaster, large-scale IT system outage or a cyber security event. Without regularly reviewing your BCPs and updating them with the latest information, you could find yourself unprepared for new problems that will arise. When it comes to cyber and securing your infrastructure from internal and external threats, a BCP is critical in getting back up and running swiftly. Your organisation will come under threat; it’s about how you respond that makes the difference.

Conduct Table-Top Exercises

Table-top exercises improve your capabilities to respond to real events. With ever-changing scenarios, such as cyber security, your processes should be regularly checked for operational efficiency and effectiveness. Do your staff know the role that they play if your organisation comes under cyber attack and you need to recover lost data or are locked out of your systems?

We encourage a top-down responsibility for cyber security. You must be at the table when these exercises are being planned out. With the financial and brand impacts of a cyber security event being so large, and the ICO looking to hold directors directly responsible, you can’t be pointing fingers. You must ensure that your organisation is best protected.

Data Location and Classification

Do you know where your data is located? Whether on-premise or in the cloud, it is still your responsibility. However, do you know where your data is, geographically? In July 2020, the European Court invalidated the EU-US Privacy Shield agreement, which emphasises the requirement to know the location of your data.

Another weakness that is often overlooked is your data classification policy. For example, if your organisation is targeted and your backups are encrypted, do you know what was held there? Many organisations are unsure. When working on your data backup and archiving strategy, it’s not always about protecting the things that you immediately think of. Also think about how much data is stored in one location. Storing all of your data in one place can make you an attractive target for hackers. Start by assessing what you are currently protecting and why – you will soon find the gaps.

The Rushed Move to Cloud

When the pandemic hit in 2020, there was a rush to move systems to the cloud. This was often for the betterment of services to citizens, or as a temporary measure due to the lack of time. However, now is the time to take a step back to check that everything was done correctly. You made the changes to serve your citizens in the short-term, but are the solutions right for the long-term? This is where your BCPs, Table-Top Exercises and Data Classification policies should guide you.

You must be aware of when it is the right option to move to the cloud. ‘Cloud-first’ doesn’t mean that cloud is the right option every time. It all depends on what you want to use the cloud for, and there’s no one answer that will suit everybody. Allow your data classification policy to guide you on where you should be storing data and how it is backed up, weighed against your organisation’s appetite for risk.